F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Canada during the winter of 2019 was characterized by a large amount of in-country attack traffic aimed at Canadian systems.

• OVH SAS hosted the top six IP addresses, all geolocated in Canada, which sent a substantial amount of traffic toward Canadian systems.
• Three out of 10 of the top attacking IP addresses were engaged in abusive port scanning and credential stuffing attacks against systems in Canada, targeting RFB/VNC port 5900, which was noted in the fall of 2019 and continued during this time period. These attacks were seen around the world.
• Canada itself was the top source traffic country targeting Canadian systems. We observed over four times as much attack traffic coming from in-country systems than from Russia, the source country in second position.
• The United States and Canada had identical top attacked ports during this time period, indicating that attack campaigns may have had a North American geographical focus. Attackers were especially interested in SMB and SSH. The top targeted port, SMB port 445, was commonly targeted globally because exploiting a vulnerability on this service can give a malicious actor access to the entire system.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). Notably, Russia also appears in the top source traffic countries for Europe. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP addresses. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.